
Thread: Spring Security Handling @PreAuthorize Exception

  1. #1

    Default Spring Security Handling @PreAuthorize Exception

    Hi All,

    First of all, I want to apologize for my bad English.

    I'm trying to handle the @PreAuthorize exception and redirect to my access-denied page.


    I have two things:

    My custom access-denied page, which is configured and works fine. I have added
    Code:
    <mvc:view-controller path="/authzError" />
    and the jspx; it works perfectly except with @PreAuthorize.

    In a controller I have put, on top of the method,
    Code:
    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    and it throws an exception if I have a different ROLE.

    This is my full configuration:

    in webmvc-config.xml:
    Code:
    <!-- Turns on @PreAuthorize/@PostAuthorize processing for beans in this context and routes
         every method-level decision through skipMethodCallAccessDecisionManager (defined below). -->
    <security:global-method-security
        pre-post-annotations="enabled"
        access-decision-manager-ref="skipMethodCallAccessDecisionManager"/>
    
    	<!-- Custom AccessDecisionManager used by global-method-security above. Its single
    	     constructor argument is the voter list consulted for each secured method call. -->
    	<bean id="skipMethodCallAccessDecisionManager"
    	      class="com.org.security.SkipMethodCallAccessDecisionManager">
    	    <constructor-arg>
    	        <list>
    	            <!-- Votes on @PreAuthorize attributes using the pre-invocation advice bean. -->
    	            <bean class="org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter">
    	                <constructor-arg>
    	                    <ref bean="expressionBasedPreInvocationAdvice"/>
    	                </constructor-arg>
    	            </bean>
    	            <!-- Add a RoleVoter here if plain ROLE_ config attributes are ever used. -->
    	            <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
    	        </list>
    	    </constructor-arg>
    	</bean>
    	
    	<!-- Pre-invocation advice shared by the voter above; expressions are evaluated
    	     through the expressionHandler bean. -->
    	<bean id="expressionBasedPreInvocationAdvice"
    	      class="org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice">
    	    <property name="expressionHandler">
    	        <ref bean="expressionHandler"/>
    	    </property>
    	</bean>
    	
    	<!-- Handler for method-security SpEL such as hasAuthority('ROLE_ADMIN'). -->
    	<bean id="expressionHandler"
    	      class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler"/>
    in applicationContext.xml
    Code:
    	<aop:aspectj-autoproxy/>
    	<aop:config>
    	    <!-- Methods wrapped by mySecurityInterceptor.
    	         NOTE(review): the package is spelled "com.org.scurity" here, while the
    	         AccessDecisionManager class is in "com.org.security" — confirm this is not a
    	         typo; if the package does not exist the advisor matches nothing. -->
    	    <aop:pointcut id="myMethods"
    	                  expression="execution(* com.org.scurity.*.*(..))"/>
    	    <aop:advisor advice-ref="mySecurityInterceptor" pointcut-ref="myMethods"/>
    	</aop:config>
    	
    	<!-- Custom method-security interceptor applied through the aop:advisor above.
    	     Config attributes come from @PreAuthorize/@PostAuthorize annotations; decisions are
    	     delegated to accessDecisionManager and authentication to authenticationManager. -->
    	<bean id="mySecurityInterceptor"
    	      class="org.com.security.MyMethodSecurityInterceptor">
    	    <property name="securityMetadataSource">
    	        <bean class="org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource">
    	            <constructor-arg>
    	                <bean class="org.springframework.security.access.expression.method.ExpressionBasedAnnotationAttributeFactory">
    	                    <constructor-arg>
    	                        <bean class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler"/>
    	                    </constructor-arg>
    	                </bean>
    	            </constructor-arg>
    	        </bean>
    	    </property>
    	    <!-- NOTE(review): false skips the start-up check that every config attribute is
    	         supported by accessDecisionManager, so an unsupported annotation surfaces only
    	         when the method is first called. Prefer true unless there is a known reason. -->
    	    <property name="validateConfigAttributes">
    	        <value>false</value>
    	    </property>
    	    <property name="accessDecisionManager">
    	        <ref bean="accessDecisionManager"/>
    	    </property>
    	    <property name="authenticationManager">
    	        <ref bean="authenticationManager"/>
    	    </property>
    	</bean>
    	
    	<!-- AccessDecisionManager for mySecurityInterceptor. AffirmativeBased grants access as
    	     soon as one voter grants; only the @PreAuthorize expression voter is registered. -->
    	<bean id="accessDecisionManager"
    	      class="org.springframework.security.access.vote.AffirmativeBased">
    	    <constructor-arg index="0">
    	        <list>
    	            <bean class="org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter">
    	                <constructor-arg index="0"><bean class="org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice"/></constructor-arg>
    	            </bean>
    	        </list>
    	    </constructor-arg>
    	</bean>

    and that works... in my class SkipMethodCallAccessDecisionManager, with a breakpoint in

    Code:
    	
        /**
         * Delegates the decision to the parent implementation and, when the parent denies
         * access, rethrows the denial as an authentication failure.
         *
         * @param authentication   the caller's Authentication
         * @param object           the secured object (the method invocation)
         * @param configAttributes the config attributes of the secured object
         * @throws BadCredentialsException when the parent throws AccessDeniedException
         */
        @Override
        public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes){
            try{
                super.decide(authentication, object, configAttributes);
            }catch(AccessDeniedException adex){
                logger.debug("Access Denied on:" + object);
                // NOTE(review): an authorization failure is converted into BadCredentialsException
                // (an AuthenticationException), so any handler or exception-resolver mapping keyed on
                // AccessDeniedException will never see it — confirm this conversion is intended.
                // NOTE(review): the message code "DigestAuthenticationFilter.usernameNotFound" belongs
                // to an unrelated failure, and the resolved text carries the caller's user name; it may
                // end up rendered on the error page — verify.
                throw  new BadCredentialsException(messages.getMessage("DigestAuthenticationFilter.usernameNotFound",
                        new Object[]{authentication.getName()}, "L’utilisateur [{0}] ne possède pas les privilège suffisant pour accéder à cette ressource"));
            }
        }
    the exception is caught in InvocableHandlerMethod.class:

    Code:
    catch (InvocationTargetException e) {
    			// Unwrap for HandlerExceptionResolvers ...
    			Throwable targetException = e.getTargetException();
    			if (targetException instanceof RuntimeException) {
    				throw (RuntimeException) targetException;
    And in the browser I get the default error page.

    When and how do I redirect to my custom access-denied page?


    I need some help please



    Thanks in advance.

    Best regards.

  2. #2


    Hi,

    I think I could customize DefaultMethodSecurityExpressionHandler to choose my view... is that a good idea?

  3. #3


    OK, I found and solved the problem:

    I have added the following in webmvc-config.xml

    Code:
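    <!-- Maps exceptions escaping controllers to view names. Each key is matched as a substring
         of the exception class name (and its superclasses), so ".AccessDeniedException" catches
         the denial raised for a failed @PreAuthorize and renders the authzError view. -->
    <bean class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver"
          p:defaultErrorView="uncaughtException">
        <property name="exceptionMappings">
            <props>
                <prop key=".DataAccessException">dataAccessFailure</prop>
                <prop key=".NoSuchRequestHandlingMethodException">resourceNotFound</prop>
                <prop key=".TypeMismatchException">resourceNotFound</prop>
                <prop key=".MissingServletRequestParameterException">resourceNotFound</prop>
                <prop key=".AccessDeniedException">authzError</prop>
            </props>
        </property>
        <!-- Without a status mapping the resolver leaves the response status untouched (200),
             so a denied request looks successful to access logs, monitoring and caches.
             Keys are view names; the value is the HTTP status applied when that view is chosen. -->
        <property name="statusCodes">
            <props>
                <prop key="authzError">403</prop>
            </props>
        </property>
    </bean>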
